private static bool IsAnonymousUserAuthorizedForMultipleSecurityActions(SecurityActions securityRequests, bool isPrivateAlbum, IGallerySettings gallerySettings, SecurityActionsOption secActionsOption)
{
// There are multiple security actions in securityAction enum. Iterate through each one and determine if the user
// has permission for it.
List <bool> authResults = new List <bool>();
foreach (SecurityActions securityAction in SecurityActionEnumHelper.ParseSecurityAction(securityRequests))
{
authResults.Add(IsAnonymousUserAuthorizedForSingleSecurityAction(securityAction, isPrivateAlbum, gallerySettings));
}
if (secActionsOption == SecurityActionsOption.RequireAll)
{
return(authResults.Count > 0 ? authResults.TrueForAll(delegate(bool value) { return value; }) : false);
}
else if (secActionsOption == SecurityActionsOption.RequireOne)
{
return(authResults.Contains(true));
}
else
{
throw new InvalidEnumArgumentException("secActionsOption", (int)secActionsOption, typeof(SecurityActionsOption));
}
}
/// <summary>
/// Determine whether the user belonging to the specified <paramref name="roles" /> has permission to perform all of the specified security
/// actions against the specified <paramref name="albumId" />. The user may be anonymous or logged on.
/// When the the user is logged on (i.e. <paramref name="isAuthenticated" /> = true), this method determines whether the user is authorized by
/// validating that at least one role has the requested permission to the specified album. When the user is anonymous,
/// the <paramref name="roles" /> parameter is ignored and instead the <paramref name="isPrivateAlbum" /> parameter is used.
/// Anonymous users do not have any access to private albums. When the the user is logged on (i.e. <paramref name="isAuthenticated" /> = true),
/// the <paramref name="roles" /> parameter must contain the roles belonging to the user.
/// </summary>
/// <param name="securityRequests">Represents the permission or permissions being requested. Multiple actions can be specified by using
/// a bitwise OR between them (example: <see cref="SecurityActions.AdministerSite" /> | <see cref="SecurityActions.AdministerGallery" />).
/// If multiple actions are specified, use <paramref name="secActionsOption" /> to specify whether all of the actions must be satisfied
/// to be successful or only one item must be satisfied.</param>
/// <param name="roles">A collection of Gallery Server roles to which the currently logged-on user belongs. This parameter is ignored
/// for anonymous users (i.e. <paramref name="isAuthenticated" />=false). The parameter may be null.</param>
/// <param name="albumId">The album for which the requested permission applies. This parameter does not apply when the requested permission
/// is <see cref="SecurityActions.AdministerSite" /> or <see cref="SecurityActions.AdministerGallery" />.</param>
/// <param name="galleryId">The ID for the gallery the user is requesting permission in. The <paramref name="albumId" /> must exist in this
/// gallery. This parameter is not required <paramref name="securityRequests" /> is SecurityActions.AdministerSite (you can specify
/// <see cref="int.MinValue" />).</param>
/// <param name="isAuthenticated">A value indicating whether the current user is logged on. If true, the
/// <paramref name="roles" /> parameter should contain the names of the roles for the current user. If <paramref name="isAuthenticated" />=true
/// and the <paramref name="roles" /> parameter is either null or an empty collection, this method returns false.</param>
/// <param name="isPrivateAlbum">A value indicating whether the album is hidden from anonymous users. This parameter is ignored for
/// logged-on users.</param>
/// <param name="secActionsOption">Specifies whether the user must have permission for all items in <paramref name="securityRequests" />
/// to be successful or just one. This parameter defaults to SecurityActionsOption.RequireAll when not specified, and is applicable only
/// when <paramref name="securityRequests" /> contains more than one item.</param>
/// <param name="isVirtualAlbum">if set to <c>true</c> the album is a virtual album.</param>
/// <returns>
/// Returns true if the user has the requested permission; returns false if not.
/// </returns>
/// <exception cref="System.ArgumentOutOfRangeException"></exception>
/// <exception cref="System.ComponentModel.InvalidEnumArgumentException"></exception>
/// <remarks>
/// This method handles both anonymous and logged on users. Note that when <paramref name="isAuthenticated" />=true, the
/// <paramref name="isPrivateAlbum" /> parameter is ignored. When it is false, the <paramref name="roles" /> parameter is ignored.
/// </remarks>
public static bool IsUserAuthorized(SecurityActions securityRequests, IGalleryServerRoleCollection roles, int albumId, int galleryId, bool isAuthenticated, bool isPrivateAlbum, SecurityActionsOption secActionsOption, bool isVirtualAlbum)
{
#region Validation
if (isAuthenticated && !isVirtualAlbum && ((roles == null) || (roles.Count == 0)))
{
return(false);
}
var userIsRequestingSysAdminPermission = (securityRequests & SecurityActions.AdministerSite) == SecurityActions.AdministerSite;
var userIsRequestingGalleryAdminPermission = (securityRequests & SecurityActions.AdministerGallery) == SecurityActions.AdministerGallery;
if (galleryId == int.MinValue)
{
var isMoreThanOnePermissionRequest = !SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests);
if (isMoreThanOnePermissionRequest || !userIsRequestingSysAdminPermission)
{
throw new ArgumentOutOfRangeException("galleryId", String.Format(CultureInfo.CurrentCulture, "A valid gallery ID must be specified. Instead, the value was {0}.", galleryId));
}
}
#endregion
if (isVirtualAlbum && (!userIsRequestingSysAdminPermission && !userIsRequestingGalleryAdminPermission))
{
return(true); // Virtual albums are always allowed, but only for non-admin requests. This feels hacky and non-intuitive; should try to improve someday
}
// Handle anonymous users.
if (!isAuthenticated)
{
return(IsAnonymousUserAuthorized(securityRequests, isPrivateAlbum, galleryId, secActionsOption));
}
// If we get here we are dealing with an authenticated (logged on) user. Authorization for authenticated users is
// given if the user is a member of at least one role that provides permission.
if (SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests))
{
// Iterate through each GalleryServerRole. If at least one allows the action, return true. Note that the
// AdministerSite security action, if granted, applies to all albums and allows all actions (except HideWatermark).
foreach (IGalleryServerRole role in roles)
{
if (IsAuthenticatedUserAuthorized(securityRequests, role, albumId, galleryId))
{
return(true);
}
}
return(false);
}
else
{
// There are multiple security actions in securityRequest enum. Iterate through each one and determine if the user
// has permission for it.
List <bool> authResults = new List <bool>();
foreach (SecurityActions securityAction in SecurityActionEnumHelper.ParseSecurityAction(securityRequests))
{
// Iterate through each role. If at least one role allows the action, permission is granted.
foreach (IGalleryServerRole role in roles)
{
bool authResult = IsAuthenticatedUserAuthorized(securityAction, role, albumId, galleryId);
authResults.Add(authResult);
if (authResult)
{
break; // We found a role that provides permission, so no need to check the other roles. Just move on to the next security request.
}
}
}
// Determine the return value based on what the calling method wanted.
if (secActionsOption == SecurityActionsOption.RequireAll)
{
return(authResults.Count > 0 ? authResults.TrueForAll(delegate(bool value) { return value; }) : false);
}
else if (secActionsOption == SecurityActionsOption.RequireOne)
{
return(authResults.Contains(true));
}
else
{
throw new InvalidEnumArgumentException("secActionsOption", (int)secActionsOption, typeof(SecurityActionsOption));
}
}
}